In The Wild: Breaking Mobile Security Paradigms… Again

Security researchers have shattered the mobile security paradigm once again: Android two-factor authentication has been bypassed, and iOS has again been shown vulnerable both to exploits and to malware. It has become very clear that traditional defenses are not enough; users need additional protection to stay safe.

Two Factor Authentication Bypass: There’s No Place to Hide from “Everywhere Computing”

2FA is a security measure that authenticates a user with more than one method. The most common example is a one-time passcode sent by SMS on top of the regular password. Today, 2FA is what stops criminals who already control your browser from getting into your financial accounts. The new attack, however, can render this protection useless.

Researchers have demonstrated how an attacker who controls the PC browser of a Google services user can compromise that user's Android device. Because the browser session and the phone share the same Google account, the attacker can push a rogue app to the device remotely, through the Google Play web store, and have it spy on incoming text messages.

Android has had a defense against this vector since version 3.1: a freshly installed app is kept in a "stopped" state, and its broadcast receivers do not fire until the user opens the app for the first time. A broadcast receiver is the Android component that responds to system events, such as an incoming SMS.

Nevertheless, attackers have a nifty way around this defense. The attacker replaces one of the user's bookmarks, which sync to Chrome on the phone through the same Google account, with a URL that the rogue app has registered for a "browsable" activity (an activity whose intent filter accepts URLs handed over by a browser). When the victim taps the bookmark, Chrome launches the app to handle the URL; that first launch takes the app out of the stopped state and arms its SMS receiver. The attacker never has to touch the device or convince the victim to open an unfamiliar app.

The whole attack is conducted from the compromised PC browser, with no direct access to the device. Once the app is running, it can forward the SMS one-time passcodes to the attacker, who already holds the victim's password from the browser, so the Two Factor Authentication (2FA) on the bank account is bypassed.
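The combination the attack depends on is visible in an app's manifest: a BROWSABLE activity (launchable from a URL such as a synced bookmark) next to a receiver for incoming SMS. The following audit script is an added example, not code from the researchers or from Check Point. It runs over a decoded AndroidManifest.xml (for example apktool output; the manifest inside an APK is binary XML) and flags that combination. The manifest embedded below is constructed for illustration and does not belong to any real app.

```python
"""Audit a decoded AndroidManifest.xml for the pair of features the
bookmark-launch 2FA attack relies on: a BROWSABLE activity plus an
SMS_RECEIVED receiver. Added example; the sample manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spelling of the android: attribute prefix

SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BROWSABLE = "android.intent.category.BROWSABLE"

# Constructed sample manifest (package and component names are invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="notes.example"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return a report dict; 'url_launch_plus_sms' is the finding of interest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}

    # Activities that a browser can launch by URL, with the URL patterns they claim.
    browsable = []
    for act in root.iter("activity"):
        for flt in act.findall("intent-filter"):
            cats = {c.get(A + "name") for c in flt.findall("category")}
            if BROWSABLE not in cats:
                continue
            patterns = []
            for d in flt.findall("data"):
                scheme = d.get(A + "scheme") or "*"
                host = d.get(A + "host") or "*"
                patterns.append("%s://%s" % (scheme, host))
            browsable.append((act.get(A + "name"), patterns))

    # Receivers that fire on incoming SMS (once the app has left the stopped state).
    sms_receivers = [
        r.get(A + "name") for r in root.iter("receiver")
        if any(a.get(A + "name") == SMS_ACTION
               for flt in r.findall("intent-filter")
               for a in flt.findall("action"))
    ]

    return {
        "package": root.get("package"),
        "receive_sms_permission": "android.permission.RECEIVE_SMS" in perms,
        "browsable_activities": browsable,
        "sms_receivers": sms_receivers,
        "url_launch_plus_sms": bool(browsable) and bool(sms_receivers),
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print("%-24s %s" % (key, value))
```

The finding is a heuristic, not proof of malice: plenty of legitimate apps handle web links and read SMS. It is, however, exactly the shape a reviewer should look at twice when the app arrived on the device through a remote install.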

Brick Your Phone Like It’s the 70’s Again

Following the rather amusing 1970 bug in iOS (setting the date to 1 January 1970 left the device unable to boot), a new attack vector takes it a step further. By setting up a malicious hotspot, an attacker could trigger the 1970 bug remotely and brick iOS devices running versions before 9.3. This is possible because iOS devices, like many others, automatically reconnect to known Wi-Fi networks.

An attacker can easily spoof the name of a known open network so that the device connects to his hotspot instead. Once connected, the attacker takes advantage of the fact that iOS devices periodically synchronise their clock with Apple's Network Time Protocol (NTP) servers. NTP replies are not authenticated, and the attacker controls the network the requests travel over, so he can answer them from his own NTP server and set the device's clock to 1.1.1970 (Unix epoch zero), bricking the device.
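The root of the problem is a time client that applies whatever an unauthenticated NTP reply says. The following plausibility check is an added example (not Apple's code and not the researchers' tooling): it parses an RFC 5905 server reply, and rejects any time earlier than a hard floor, here assumed to be the client software's own build date, since no honest server can report a time before the software that asks for it was built. It constructs two replies inline, one honest and one from a rogue server handing back 1 January 1970, as in the hotspot attack.

```python
"""Plausibility-check an NTP reply before it touches the system clock.
Added example; the packets below are constructed, not captured."""
import struct
import time

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
NTP_PACKET = "!BBBbIIIQQQQ"   # LI/VN/Mode, stratum, poll, precision, 3 x 32-bit, 4 x 64-bit timestamps

# Assumed floor: when this client was built. Any earlier time is impossible.
BUILD_TIME_UNIX = 1458518400  # 2016-03-21 00:00:00 UTC (assumed value)


def unix_to_ntp(unix_seconds):
    """64-bit NTP timestamp (seconds since 1900 in the high word, zero fraction)."""
    return (unix_seconds + NTP_UNIX_DELTA) << 32


def ntp_to_unix(ntp_ts):
    return (ntp_ts >> 32) - NTP_UNIX_DELTA


def build_reply(transmit_unix, stratum=2):
    """Constructed server reply (version 4, mode 4) carrying the given transmit time."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    ts = unix_to_ntp(transmit_unix)
    return struct.pack(NTP_PACKET, li_vn_mode, stratum, 6, -20,
                       0, 0, 0, ts, ts, ts, ts)


def check_reply(packet, floor_unix=BUILD_TIME_UNIX, max_future=7 * 86400, now=None):
    """Return (accepted, reason, unix_time).

    Rejects short packets, anything that is not a v3/v4 server reply,
    unsynchronised servers (LI=3), kiss-o'-death (stratum 0) or invalid strata,
    and any transmit time outside [floor_unix, now + max_future].
    """
    if len(packet) < 48:
        return False, "short packet", None
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref, _orig, _recv, xmit) = struct.unpack(NTP_PACKET, packet[:48])
    li, version, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7
    if mode != 4 or version not in (3, 4):
        return False, "not a v3/v4 server reply", None
    if li == 3 or stratum == 0 or stratum > 15:
        return False, "server unsynchronised or kiss-o'-death", None
    t = ntp_to_unix(xmit)
    if t < floor_unix:
        return False, "time %d is before floor %d" % (t, floor_unix), t
    now = time.time() if now is None else now
    if t > now + max_future:
        return False, "time %d is too far in the future" % t, t
    return True, "ok", t


if __name__ == "__main__":
    for label, pkt in (("honest server", build_reply(1460000000)),
                       ("rogue server, 1970", build_reply(0))):
        print("%-20s %s" % (label, check_reply(pkt, now=1460000100)))
```

A floor like this stops the epoch-zero case and the 1900 case (a zeroed timestamp field) but is only a sanity check; it does not make NTP trustworthy on a hostile network, which requires authenticated time or a trusted transport.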

Attackers already use malicious hotspots for man-in-the-middle (MitM) attacks, as in a real attack we have described in the past. Nothing stops them from doing the same here.

Additional Lessons from BlackHat Asia

Along with Sidestepper, another iOS flaw was presented at the conference. A non-jailbroken device can run code that never went through App Store review, provided it is signed with a developer certificate and the user has trusted the corresponding profile. Attackers can use this to install a seemingly legitimate, well-known app with malware embedded in it. All they need to do is recompile the legitimate app with the malicious code added, using open-source tools such as Theos-jailed.
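An app that arrived this way leaves a trace: App Store builds ship without an embedded.mobileprovision, while anything signed with a development, ad hoc or enterprise certificate carries one. The classifier below is an added example (not the conference material and not Check Point's product code). It pulls the XML plist out of the CMS-wrapped profile and reports which signing route was used. The profile bytes are constructed for illustration; the CMS signature around the plist is not verified, which is a stated limitation.

```python
"""Classify how an iOS bundle was signed from its embedded provisioning profile.
Added example; SAMPLE_PROFILE is constructed and its values are invented."""
import plistlib
import re

# embedded.mobileprovision is a CMS (PKCS#7) blob wrapping an XML plist. We cut the
# plist out by its delimiters rather than parsing the DER; the signature is NOT checked.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_profile_plist(blob):
    m = PLIST_RE.search(blob)
    return plistlib.loads(m.group(0)) if m else None


def classify_signing(profile):
    """'app-store' (no profile), 'enterprise', 'development', 'ad-hoc' or 'unknown'."""
    if profile is None:
        return "app-store"
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        # Development profiles allow a debugger to attach; ad hoc ones do not.
        entitlements = profile.get("Entitlements", {})
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "unknown"


def audit_bundle(profile_blob):
    """profile_blob: contents of embedded.mobileprovision, or None if absent."""
    prof = extract_profile_plist(profile_blob) if profile_blob else None
    kind = classify_signing(prof)
    ent = (prof or {}).get("Entitlements", {})
    return {
        "signing": kind,
        "app_id": ent.get("application-identifier"),
        "devices": len((prof or {}).get("ProvisionedDevices", [])),
        "outside_app_store": kind != "app-store",
    }


# Constructed sample: a development profile with DER-looking bytes on either side.
SAMPLE_PROFILE = b"\x30\x82\x0b\x3a" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Dev Profile</string>
  <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
  <key>ProvisionedDevices</key><array><string>00000000-000000000000001E</string></array>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLE123.com.example.notes</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict>
</plist>""" + b"\x31\x82\x01\x00"


if __name__ == "__main__":
    print(audit_bundle(SAMPLE_PROFILE))
    print(audit_bundle(None))
```

On a real device this is the kind of check an MDM or security agent performs over the installed bundles; a well-known app name paired with a development or enterprise profile is the signature of a repackaged install.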

Once installed, the app hides the original app's icon, evading the user's suspicion and common security measures, as well as Apple's own checks. Only advanced security solutions are able to detect such a threat. This demonstrates how easily malware can be created by attackers with little skill, even for the supposedly secure iOS.

Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.